List:       oss-security
Subject:    Re: [oss-security] Re: CVEs for Drupal contributed modules - January 2015
From:       cve-assign () mitre ! org
Date:       2015-04-22 21:25:08
Message-ID: Pine.LNX.4.64.1504221723230.26645 () beijing ! mitre ! org


On Tue, 21 Apr 2015, Pere Orga wrote:

> On Tue, Apr 21, 2015 at 7:52 PM,  <cve-assign@mitre.org> wrote:
>>
>
> [...]
>
>>> SA-CONTRIB-2015-033 - Certify - Access bypass
>>> SA-CONTRIB-2015-033 - Certify - Information disclosure
>>> https://www.drupal.org/node/2415947
>>
>>
>> It is not clear whether there should be a single CVE or multiple CVEs.
>>
>> Both "Access bypass" and "Information Disclosure" are mentioned in
>> SA-CONTRIB-2015-033, along with the phrase "Multiple
>> vulnerabilities."
>> However, SA-CONTRIB-2015-033 also says that "The module does not
>> sufficiently check node access when showing (and creating) the PDF
>> certificates. This can lead to users seeing certificates they should
>> not have access to."  This suggests a single root cause - lack of node
>> access checks - which could lead to information disclosure.  If so,
>> then from the CVE perspective, this would be one vulnerability and one
>> ID would be assigned.
>>
>
> Yes, that sounds right.

Use CVE-2015-3404.

---

CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]